Others

Introduction to NDepend : Static Code Analysis Tool

June 16, 2018 .NET, .NET Core, .NET Framework, ASP.NET, Best Practices, C#.NET, Code Analysis, Code Quality, Dynamic Analysis, Emerging Technologies, Help Articles, Microsoft, Static Analysis, Tech-Trends, Tools, Tools, Visual Studio 2017, VisualStudio, Windows No comments , , , , , ,

As a developer, you always have to take the pain of getting adapted to the best practices and coding guidelines to be followed as per the organizational or industrial standards.  Easy way to ensure your coding style follows certain standard is to manually analyze your code or use a static code analyzer like FxCop, StyleCop etc. Earlier days I have been a fan of FxCop as it was free and it provides me all necessary general guidelines in terms  of improving my solution.

In this modern world of programming everything needs to be automated, as it saves time and money in terms of automating repetitive tasks and improves efficiency. This is where static code analysers coming effective.

What is Static Code Analysis?

Static program analysis is the analysis of computer software that is performed without actually executing programs, on some version of the program source code, and in the other cases, some form of the object code or intermediate compiled code .

Sophistication of static program analysis increases is based on how deep they analyze in terms of behavior of individual statements and declarations, to analyzing the entire source code.

PS: Analysis performed on executing programs is known as dynamic analysis.

In this article I will give you an overview of one such premier static code analysis tool that can be used for your daily development routine plus use it for CI integration for DevOps efficiency.

NDepend:

NDepend is a static analysis tool for .NET, specifically for managed code:  NDepdend supports a large number of code metrics, allowing to visualize dependencies using directed graphs and dependency matrix. It also performs code base snapshots comparisons, and validation of architectural and quality rules.

The important capabilities of NDepend are:

  • Dependency Visualization through dependency matrix and graphs.
  • Analyse and generate software quality metrics – as per the documentation it supports 82 quality metrices.
  • Declarative rule support through LINQ queries, and it is called CQLinq and comes with a large number of predefined CQLinq rules.
  • Integration support for Cruise Control.Net, SonarCube, am City. Code rules can be configured to be checked automatically in Visual Studio or during continuous integration(CI).

License: NDepend is a commercial tool with licensing options as below:

  1. Developer seats – $477 approx. / per seat.
  2. Build Machine seats  – $955 approx. / per seat.

** You could get volume discount if you bulk procure your licenses.

Installation: 

Once you obtained license you will able to download NDepend_2018.1.1.9041.zip, is latest version available while I write this article. Extract the zip file into your local folder, you could see the different packages/executables within the package.

image

1.) NDepend.Console    – Command line program to execute NDepend analysis.  You would be mostly using this component on CI Build server Help

2.) NDepend.PowerTools –  Helps write your own static analyzer based on NDepend.API, or tweak existing open-source Power Tools. Help

image

3.) NDepend.VisualStudioExtension.Installer – To install NDepend extension as part of Visual studio

image

4.) VisualNDepend – Independent visual environment for managing your NDepend tasks.

image

Visual Tool gives you different options to choose from:

  • You can analyse a Visual Studio Solution or project.
  • Analyse .NET assemblies in a folder.

image

image

image

For the demo purpose our analysis target would be one of the starter project from github –  ContosoUniversity by @alimon808.

image

image

Demo: Summary Report

image

Demo: Application Metrics

image

Demo: Dependency Dashboard:

image

Demo: Interactive Graph

image

Demo: Code Matrix View

image

Demo: Quality Gates Summary

image

Demo: Rules Summary

image

Conclusion:

NDepend is one of the best enterprise grade commercial static analyser seen so far.  There are Visual Studio Code Analysis, FxCop and Stylecop Analyzer tools available but they do not provide extensive level of analysis reports NDepend provides. Being a commercial tool it gives value for money for customers by what they need.  In terms of a day to day developer  or devops lifecycle, you can integrate NDepend in your build process, which could be simple as executing the NDepend Console and reviewing the output. With NDepend’s API it is easy to develop your own custom analysis tools based on CQLinq and NDepend.PowerTools(which is open source). You could find all the detailed help in NDepend documentation.

References:

PowerShell: Check a parameter/variable value is null

June 8, 2018 PowerShell, Scripting No comments

While you are writing PowerShell modules, with lot with parameters and you might want to verify these parameters are not ‘null’ to validate some business cases. In normal powershell inline scripting context, $variablename -eq “$null” would work :

if ($varibalename -eq $null) 
{ 
Write-Host "variable is null.Please supply the values for variablename." 
}

RECOMMENDED APPROACH:
Efficient way of checking this inside a module is to use:

if (!$variablename) 
{ 
Write-Host "variable is null.Please supply the values for variablename." 
}

If you would want to verify $variablename has any value except $null:

if ($variablename) 
{ 
Write-Host "variablename is not null. do something here." 
}

Node.js 9.x.x and npm 6.x.x – “npm audit” to identify and fix security vulnerabilities in dependencies

June 3, 2018 JavaScript, Javascript Development, Modern Web Development, Node.js, NPM, OpenSource, Package Manager, Tech Newz, TypeScript, Web No comments

nodejs-npm

It has been a while I have been reading about the major changes that areintroduced in Node.js 9.x.x / NPM 6.x.x and myself faced by Node.js application going to a toss after I upgraded to Node.js 9.x.x, as I always keep Node.js up to date in my development environment.

I use NVM(Node Virtual Manager) to switch between different version of Node.js and I love the flexiblity NVM provides. So I was able to quickly switch back to 8.x.x version, when I figured out this change.

But npm packgage downgrade did not work using “npm install –g npm@5.x.x” due to old traces of 6.x.x   I had to clean up my npm cache and do npm install again.

Introduction – The “npm audit” command:

Recently with 6.0.0 NPM team has introduced many improvements such as :

a.) Provide protection against insecure code into the workflow during your npm install . When a user downloads code from the npm Registry, npm will review the request against the Node Security Platform database and return a warning if the code contains a vulnerability.

b.) Package signing for publishers.   npm-signature field will allow users of npm packages to verify the integrity of the package regardless of the tools they use to retrieve it or the registry from which they download it.

c.) Security auditing capability (which I am covering in this article).

The audit capability, which provides an ability to perform a security audit  on your project and dependency components.  To simplify it provides a moment-in-time security review of your project’s dependency tree.

  • It will scan your project for any vulnerabilities. 
  • You can choose the option to automatically install the compatible updates vulnerable dependencies.
  • Audit reports contain information about security vulnerabilities in your dependencies.
  • This report also contains necessary steps to be taken to fixe these vulnerability. For example, by running an npm install <package>@new-version.
  • It would work very well with your private/enterprise registries such as artifactory etc. 
  • It  will allow the developer to recursively analyze trees of dependent code to identify specifically what’s insecure.

The audit command submits a description of the dependencies configured in your project to your default registry and asks for a report of known vulnerabilities.

Quick Insight on the new commands:

  • npm audit      – Scan your project for vulnerabilities and just show the details, without fixing anything.
  • npm audit [—json]      – To provide report in Json format.
  • npm audit fix   – to scan and fix all vulnerabilities
  • npm audit fix –only=prod     – to skip updating devDependecies
  • npm audit fix –force  – will install semver-major updates to all top level dependencies.
  • npm audit fix –dry-run –json   – to do a dry run on the fixes and provide you a report.

NB: Npm audit fix runs a full  npm install under the hood, all configs that apply to the “npm audit fix”  will also apply to npm install.

References:

[NPM Tip] Error: self signed certificate in certificate chain

May 10, 2018 JavaScript, Javascript Development, OpenSource, TypeScript, Web, Web Development No comments

As a developer, if you are behind a corporate proxy that assigns an intermediatory self signed SSL certificate to every request to provide secure content filtering as part of cybersecurity measures, I am sure you might have gone through the pain to get it working when working with NodeJS.

if you have Admin access to your windows machine, you could simply try the following fix:

    • Simply Add an Environment Variable
Environment Variable Name: NODE_TLS_REJECT_UNAUTHORIZED, Value: 0

image

image

Hope that solves your problem.

[NPM Tip] Rewriting the default protocol for GitHub package references

May 9, 2018 JavaScript, Javascript Development, OpenSource, TypeScript, Web, Web Development No comments

Some times as a Modern Web Developer you will face some “npm install” as some of the packages would be referring to git/ssh protocol to reference private packages from Git Hub.

This would fail when you are behind a corporate proxy.

Rewriting the default protocol for GitHub, run the following snippet in your command line snippets:

git config --global url."https://github.com/".insteadOf git@github.com
git config --global url."https://".insteadOf git://

Setting up Local NPM repository to Speedup Dev/CI Builds

April 29, 2018 Emerging Technologies, JavaScript, JavaScript, Modern Web Development, TypeScript, Web No comments , , ,

As a modern day JavaScript developer working with Node.js and NPM, it has been always any developer’s case to clean up local node modules sometimes when local build is broken. It is a tedious tasks to cleanup %appData%\npm-cache  to do a fresh install of all the modules again. Depending on the number of modules your project have, you will get stuck up for few minutes to hours to complete npm module installation depending on your Internet bandwidth.

Another scenario we can think of it on a build server or CI server, where we need to cleanup the entire modules during each build process, and ‘npm install’ would be like a fresh start, would take longer time to have your build complete.

What if we have a simple way of caching these packages locally, so that we do not have to download again from Internet every-time.  I will help you with a simple solution, that once setup will resolve some of these problems effectively.

Introducing Local-NPM


local-npm is a Node server that acts as a local npm registry. It serves modules, caches them, and updates them whenever they change. Basically it’s a local mirror, but without having to replicate the entire npm registry.

This allows your npm install commands to (mostly) work off-line. Also, your NPM modules  get faster and faster over time, as commonly-installed modules are aggressively cached.

local-npm acts as a proxy between you and the main npm registry. You run npm install commands like normal, but under the hood, all requests are sent through the local server.

 

Getting Started with Local-NPM:

Step 1: Install the module ‘local-npm’

$ npm install –g local-npm

Step 2: launch local-npm  and this will start the local npm server

$ local-npm

This will start the local npm server at localhost:5080.

http://127.0.0.1:5080

PS: Please note that, this step would take some time as this module tried to replicate the entire NPM repository remote skimdb to the local couchdb instance for efficient caching. But it will not eat up your disk space, as it caches modules based on usage only, it will not replicate the entire NPM repository.

Step 3: Validate the local-NPM registry

There is a basic NPMJS like UI to browse through local packages which can be accessed through.

http://localhost:5080/_browse.

Step 4: Then set npm to point to the local server:

$ npm set registry http://127.0.0.1:5080

Step 5: run  “npm install” of your modules and you can see that local-NPM caches these modules that you regularly use.

Incase, to switch back to default NPMJS registry, you can do:

$ npm set registry https://registry.npmjs.org

How it works?

npm is built on top of Apache CouchDB (a No-SQL db), so local-npm works by replicating the full “skimdb” database to a local PouchDB Server.

You can inspect the running database at http://127.0.0.1:16984/_utils.

References

To understand more on local-NPM and documentation visit the module repository in github@https://github.com/local-npm/local-npm